The knock on NAC

There were high hopes for network access control but complexity and lack of standards have slowed its adoption

Three years ago, network access control was the big buzzword in security.

NAC's goal was to ensure PCs and other devices knocking on the network door had the latest patches, antivirus and spyware upgrades before allowing entry, thus blocking dangerous malware.

Call it the firewall behind the firewall. Some even thought NAC was the way to unify all endpoint security. It hasn't turned out that way.

"It's a slow uptake," acknowledges James Quin, a senior research analyst at Info-Tech Research of Canada, who specializes in security. "I wouldn't say there are a large number of organizations that are implementing NAC. They're certainly not implementing it with any fervour."

NAC proved to be a lot harder to implement than network technicians realized for a number of reasons, says Phil Hochmuth, a senior analyst with the Yankee Group.

"The issues of how do you protect all the different types of machines that can plug into a corporate network - IP phones, printers, non-Windows-based machines, Macs - made things more complicated."

A lack of standards has hurt - there's versions from Cisco, Juniper, Microsoft, the Trusted Computing Group and one in the works from the IEEE. And there were reliability problems, such as false positives, which inhibited rather than increased productivity of users knocked offline.

A recent study by Hochmuth of three early appliance-based NAC adopters found two of them praising the technology for policing access to secured segments within the enterprise, but less enthusiastic about using it for blocking questionable devices. Yet Forrester Research found that only four per cent of enterprises it surveyed that had started NAC projects actually finished them.

Network managers and vendors haven't given up on NAC, but its problems demonstrate the ever-changing landscape of endpoint security.

NAC has ended up being swallowed by some of the leading endpoint protection names as part of a new generation of security platforms.

It's not hard to see why. According to Gartner, even the best malware signature databases can miss threats as much as 10 per cent of the time, and most have less than a 50 per cent chance of catching completely new threats. Then two years ago, McAfee Total Security emerged, unifying these and other weapons under its ePolicy Orchestrator console. Other security firms ­responded, the latest September's release of Symantec Endpoint Protection 11.0.

As Gartner observed in a recent report on what it calls enterprise endpoint protection platforms, the number of competitors is expanding. Joining the traditional trio that has 85 per cent of the market (McAfee, Symantec and Trend Micro) are newcomers like BigFix, Bit9, eEye Digital Security, as well as Microsoft and IBM. Also expanding are their features to include encryption, data loss prevention tools and NAC.

Now, alongside device compliance, NAC fits in with a host of defence weapons such as advanced firewalls with audit capabilities and protections to ­ensure that the firewall policy is active, detailed event logs, co-ordination with malware protection for the rapid defense of unpatched vulnerabilities and wireless firewall policies, such as enforcing one active network interface card (NIC) to avoid LAN-to-wireless-LAN bridges.

Join the newsletter!

Error: Please check your email address.

More about BigFixCiscoeEye Digital SecurityForrester ResearchGartnerIBM AustraliaIEEEJuniper NetworksMacsMcAfee AustraliaMicrosoftNICSymantecTrend Micro AustraliaUnifyWikipediaYankee Group

Show Comments

Market Place